system
(system)
17 November 2007 22:11
#1
My browser keeps switching the page to a different one by itself, and banners appear.
If anyone can advise me what this problem is, I would be very grateful.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:59:42, on 17/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\slserv.exe
D:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
D:\Downloads\My Downloads\WlanCU.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
D:\Program Files\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 207.68.176.250 auto.search.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: browser optimizer superiorads - {8E015787-B1E3-404a-95DE-3E71E1FA0305} - C:\WINDOWS\system32\spads.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Dcads Toolbar - {41C29B07-6F91-4966-91BE-2E2841643C83} - C:\Program Files\Dcads Advanced Toolbar\toolbar.dll
O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [spywareTerminator] "D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\spads.dll" DllVerify
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = D:\Downloads\My Downloads\WlanCU.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Block this popup - C:\Program Files\TalkTalk Online Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v … 8541305638
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Seekmo/ … 54b810aed3
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7174 bytes
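The redirects and banners the poster describes line up with a handful of entries in the HijackThis log above: the BearShare SearchAssistant hijack (R0/R1), a hosts-file override for auto.search.msn.com (O1), an unknown BHO loaded from system32 (spads.dll, also re-launched via Rundll32 in O4), an orphaned BHO and toolbar with "(no file)", an ActiveX download from zangocash.com (O16), and an AppInit_DLLs injection (O20). The script below is an added example, not part of the thread and not part of HijackThis itself: it parses HJT entries and applies the same heuristics a forum helper applies by eye, so the flagged lines can be reviewed first. The TRUSTED_HOSTS allow-list is an assumption made for the example, and the sample log is a constructed subset of the entries posted above.

```python
import re
from dataclasses import dataclass
from typing import List

# One HijackThis entry: "O2 - BHO: ...", "R1 - HKCU\...", etc.
HJT_ENTRY = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
URL_HOST = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

# Hosts a browser start/search page or an ActiveX DPF download may reasonably
# point at. ASSUMPTION for this example: HijackThis ships no such list.
TRUSTED_HOSTS = ("microsoft.com", "windowsupdate.com", "msn.com", "google.com", "wp.pl")

# Constructed sample: a subset of the entries from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
O1 - Hosts: 207.68.176.250 auto.search.msn.com
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: browser optimizer superiorads - {8E015787-B1E3-404a-95DE-3E71E1FA0305} - C:\WINDOWS\system32\spads.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Dcads Toolbar - {41C29B07-6F91-4966-91BE-2E2841643C83} - C:\Program Files\Dcads Advanced Toolbar\toolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\spads.dll" DllVerify
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Seekmo/ … 54b810aed3
O20 - AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll
"""


@dataclass
class Finding:
    code: str
    reason: str
    entry: str


def _host_trusted(body: str) -> bool:
    """True when the entry has no URL, or its host is on the allow-list."""
    m = URL_HOST.search(body)
    if not m:
        return True
    host = m.group(1).lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def triage_entry(code: str, body: str) -> List[str]:
    """Return the reasons this entry deserves a human look (empty = nothing)."""
    reasons = []
    if code[0] == "R" and not _host_trusted(body):
        reasons.append("browser start/search page points at an untrusted host")
    if code == "O1":
        reasons.append("hosts-file override of a search domain")
    if code in ("O2", "O3", "O9") and ("(no file)" in body or "(file missing)" in body):
        reasons.append("orphaned registration, backing file is gone")
    if code in ("O2", "O3") and re.search(r"\\system32\\[^\\]+\.dll$", body, re.I):
        reasons.append("BHO/toolbar DLL dropped directly into system32")
    if code == "O4" and re.search(r"rundll32(\.exe)?\s", body, re.I):
        reasons.append("autorun uses rundll32 to load a DLL")
    if code == "O10":
        reasons.append("Winsock LSP that HijackThis could not identify")
    if code == "O16" and not _host_trusted(body):
        reasons.append("ActiveX DPF download from an untrusted host")
    if code == "O20":
        reasons.append("AppInit_DLLs is loaded into every process that uses user32.dll")
    return reasons


def triage_log(text: str) -> List[Finding]:
    """Parse a HijackThis log and return the entries worth reviewing first."""
    findings = []
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if not m:
            continue  # headers, process list, blank lines
        code, body = m.group("code"), m.group("body")
        for reason in triage_entry(code, body):
            findings.append(Finding(code, reason, line.strip()))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.entry}")
```

The heuristics deliberately over-report: the O20 entry belongs to Google Desktop and the O10 LSP is the NetWare name-space provider, both benign here, but a reviewer wants them surfaced rather than silently accepted. Conversely the Dcads toolbar is not flagged, because nothing in the HJT line itself is anomalous; it is the later Silent Runners output ("[null data]", no version resource) that gives it away.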
system
(system)
18 November 2007 19:04
#3
ComboFix 07-11-08.1 - Krzystof Nowak 2007-11-18 18:45:55.1 - NTFSx86
Running from: D:\Downloads\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\.protected
C:\Documents and Settings\Krzystof Nowak\Application Data\EHMD5.dll
C:\Documents and Settings\Krzystof Nowak\Application Data\MBSEncryptPlugin1636.dll
C:\Documents and Settings\Krzystof Nowak\Application Data\MBSFolderitemsCreatePlugin1635.dll
C:\Documents and Settings\Krzystof Nowak\Application Data\MBSIconPlugin1635.dll
C:\Documents and Settings\Krzystof Nowak\Application Data\MBSMacOSXPlugin1635.dll
C:\Documents and Settings\Krzystof Nowak\Application Data\MBSMainPlugin1635.dll
C:\Documents and Settings\Krzystof Nowak\Application Data\MBSMemoryPlugin1635.dll
C:\Documents and Settings\Krzystof Nowak\Application Data\MBSPictureMacPlugin1635.dll
C:\Documents and Settings\Krzystof Nowak\Application Data\MBSPicturePlugin1635.dll
C:\Documents and Settings\Krzystof Nowak\Application Data\MBSPluginVersionPlugin1635.dll
C:\Documents and Settings\Krzystof Nowak\Application Data\MBSProcessPlugin1636.dll
C:\Documents and Settings\Krzystof Nowak\Application Data\MBSQTImporterPlugin1635.dll
C:\Documents and Settings\Krzystof Nowak\Application Data\MBSQuickTimePlugin1636.dll
C:\Documents and Settings\Krzystof Nowak\Application Data\MBSRectPlugin1635.dll
C:\Documents and Settings\Krzystof Nowak\Application Data\MBSRegistrationPlugin1636.dll
C:\Documents and Settings\Krzystof Nowak\Application Data\MBSRegistryPlugin1636.dll
C:\Documents and Settings\Krzystof Nowak\Application Data\MBSResPlugin1635.dll
C:\Documents and Settings\Krzystof Nowak\Application Data\MBSResStreamPlugin1635.dll
C:\Documents and Settings\Krzystof Nowak\Application Data\MBSUsernamePlugin1635.dll
C:\Documents and Settings\Krzystof Nowak\Application Data\MBSWinPlugin1635.dll
C:\Documents and Settings\Krzystof Nowak\Application Data\rbap450.dll
C:\Documents and Settings\Krzystof Nowak\Application Data\rbqt450.DLL
C:\Documents and Settings\Krzystof Nowak\Application Data\RBShell400.dll
C:\Program Files\outlook
C:\Program Files\outlook\p.zip
C:\Program Files\webhancer
C:\WINDOWS\dat.txt
C:\WINDOWS\system32\drivers\etc.protected
C:\WINDOWS\system32\nsxE.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_NWSAPAGENT
-------\NwSapAgent

((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
.
2007-11-18 18:43 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-18 09:07
2007-11-15 21:16
2007-11-15 21:16
2007-11-15 21:16
2007-11-15 21:16 80,101 --a------ C:\WINDOWS\SYSTEM32\dcads-remove.exe
2007-11-15 21:16 40,731 --a------ C:\WINDOWS\SYSTEM32\superiorads-uninst.exe
2007-11-15 19:15
2007-11-13 09:06
2007-11-12 10:54
2007-11-11 19:08
2007-11-05 12:35 65,024 --a------ C:\WINDOWS\SYSTEM32\spads.dll
2007-10-26 01:39
2007-10-26 00:54
2007-10-20 10:46 584,192 --------- C:\WINDOWS\SYSTEM32\dllcache\rpcrt4.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-18 17:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-17 14:04 --------- d-----w C:\Documents and Settings\Krzystof Nowak\Application Data\Spyware Terminator
2007-11-17 13:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-11-15 12:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-15 12:32 --------- d-----w C:\Documents and Settings\Krzystof Nowak\Application Data\Symantec
2007-11-15 12:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-12 22:56 --------- d-----w C:\Documents and Settings\Krzystof Nowak\Application Data\Skype
2007-11-11 17:27 --------- d-----w C:\Program Files\Logitech
2007-11-02 17:56 --------- d-----w C:\Program Files\CCleaner
2007-11-01 06:44 --------- d-----w C:\Program Files\Common Files\Motive
2007-10-20 08:48 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-10-20 08:48 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-09-11 09:35 52,224 ---ha-w C:\Documents and Settings\Krzystof Nowak\Application Data\EHZComp.dll
2007-09-11 09:35 18,432 ---ha-w C:\Documents and Settings\Krzystof Nowak\Application Data\EHEncrypt.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{41C29B07-6F91-4966-91BE-2E2841643C83}"= C:\Program Files\Dcads Advanced Toolbar\toolbar.dll [2007-11-01 14:39 561152]

[HKEY_CLASSES_ROOT\CLSID\{41C29B07-6F91-4966-91BE-2E2841643C83}]
[HKEY_CLASSES_ROOT\CoolToolBar.IEBarLogic.1]
[HKEY_CLASSES_ROOT\TypeLib\{6B4FA1DD-A353-49F8-A650-79C21D6B4824}]
[HKEY_CLASSES_ROOT\CoolToolBar.IEBarLogic]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2004-10-08 12:31]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2004-10-08 12:24]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 10:06]
"SpywareTerminator"="D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-08-13 22:10]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2007-02-09 10:50]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2004-10-08 12:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-02-09 10:50:59]
Wireless Configuration Utility HW.51.lnk - D:\Downloads\My Downloads\WlanCU.exe [2006-02-23 13:52:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\google\google~1\goec62~1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^blueyonder Instant Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\blueyonder Instant Support Tool.lnk
backup=C:\WINDOWS\pss\blueyonder Instant Support Tool.lnkCommon Startup
C:\WINDOWS\Options\OEMReset.exe /Audit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
"C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector]
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipBuster]
"C:\Program Files\VoipBuster.com \VoipBuster\VoipBuster.exe" -nosplash -minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheap]
"C:\Program Files\VoipCheap\VoipCheap.exe" -nosplash -minimized

R0 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys
R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
S3 V90drv;v90drv;C:\WINDOWS\system32\DRIVERS\v90drv.sys
S3 W8335XP;IEEE 802.11g Wireless Cardbus/PCI Adapter HW51;C:\WINDOWS\system32\DRIVERS\MRV8335XP.sys

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-18 18:54:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-18 18:58:23 - machine was rebooted
.
-- E O F --
Merged post: 18.11.2007 (Sun) 20:12
And here is the report from Silent Runners
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"LDM" = "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" ["Logitech"]
"LogitechSoftwareUpdate" = ""C:\Program Files\Logitech\Video\ManifestEngine.exe" boot" ["Logitech Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
"LVCOMSX" = "C:\WINDOWS\system32\LVCOMSX.EXE" ["Logitech Inc."]
"LogitechVideoRepair" = "C:\Program Files\Logitech\Video\ISStart.exe " ["Logitech Inc."]
"LogitechVideoTray" = "C:\Program Files\Logitech\Video\LogiTray.exe" ["Logitech Inc."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]
"SpywareTerminator" = ""D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"" ["Crawler.com "]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
                                       \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Helper"
                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar4.dll" ["Google Inc."]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
                   \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
  -> {HKLM...CLSID} = "My Logitech Pictures"
                   \InProcServer32\(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{BD88A479-9623-4897-8546-BC62B9628F44}" = "SPTHandler"
  -> {HKLM...CLSID} = "SPTHandler"
                   \InProcServer32\(Default) = "C:\Program Files\Spyware Terminator\sptcontmenu.dll" ["Crawler.com "]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
  -> {HKLM...CLSID} = "Microsoft.AntiSpyware.ShellExecuteHook.1"
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "c:\progra~1\google\google~1\goec62~1.dll" ["Google"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "GinaDLL" = "MrvGINA.dll" ["Marvell®"]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"| [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
SPTContMenu\(Default) = "{BD88A479-9623-4897-8546-BC62B9628F44}"
  -> {HKLM...CLSID} = "SPTHandler"
                   \InProcServer32\(Default) = "C:\Program Files\Spyware Terminator\sptcontmenu.dll" ["Crawler.com "]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
SPTContMenu\(Default) = "{BD88A479-9623-4897-8546-BC62B9628F44}"
  -> {HKLM...CLSID} = "SPTHandler"
                   \InProcServer32\(Default) = "C:\Program Files\Spyware Terminator\sptcontmenu.dll" ["Crawler.com "]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
SPTContMenu\(Default) = "{BD88A479-9623-4897-8546-BC62B9628F44}"
  -> {HKLM...CLSID} = "SPTHandler"
                   \InProcServer32\(Default) = "C:\Program Files\Spyware Terminator\sptcontmenu.dll" ["Crawler.com "]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Krzystof Nowak\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Startup items in "Krzystof Nowak" & "All Users" startup folders:
----------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Logitech Desktop Messenger" -> shortcut to: "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" ["Logitech"]
"Wireless Configuration Utility HW.51" -> shortcut to: "D:\Downloads\My Downloads\WlanCU.exe" [empty string]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 28
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "&Google"
                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar4.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "&Google"
                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar4.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
  -> {HKLM...CLSID} = "&Google"
                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar4.dll" ["Google Inc."]
"{41C29B07-6F91-4966-91BE-2E2841643C83}" = "Dcads Toolbar"
  -> {HKLM...CLSID} = "Dcads Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Dcads Advanced Toolbar\toolbar.dll" [null data]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Real.com "
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBC}"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com "


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Spyware Terminator Realtime Shield Service, sp_rssrv, ""D:\Program Files\Spyware Terminator\sp_rsser.exe"" ["Crawler.com "]
Symantec Core LC, Symantec Core LC, ""C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\system32\MsPMSPSv.exe" [MS]


---------- (launch time: 2007-11-18 19:06:32)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 118 seconds, including 18 seconds for message boxes)
Gutek
(Gutek)
18 November 2007 21:35
#4
Paste into Notepad:
>>File>>Save as... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
- as in this picture ->
(if the question " 1 or 2 " appears, type 1 and press ENTER) The removal should start. (and a log will be produced)
After the restart, manually delete the folder C:\Qoobox.
After that, a new log from ComboFix.